More than $3.1 billion in crypto was lost in 2025 due to issues such as smart contract bugs, access control vulnerabilities, rug pulls and fraud, according to a report by blockchain security auditor Hacken.
This figure for the first half of 2025 already exceeds the $2.85 billion total for all of 2024.
The distribution of loss types is roughly in line with the trends observed in 2024. Access control exploits are the main driver of losses, accounting for around 59% of the total. Smart contract vulnerabilities contributed approximately 8% of the losses, with $263 million stolen.

Types and total losses of crypto attacks in the first six months of 2025. Source: Hacken 2025 Six-Month Web3 Security Report
Yehor Rudytsia, director of forensics and incident response, told Cointelegraph that significant exploitation of GMX V1, whose outdated codebase was targeted, has been observed from the third quarter of 2025.
“If the project doesn’t stop working completely, the project should be concerned about the old/legacy codebase.”
As the crypto space has matured, attackers have shifted their focus from exploiting cryptographic flaws to targeting human and process-level weaknesses. These sophisticated techniques include blind signing attacks, private key leaks and elaborate phishing campaigns.
This evolving landscape highlights an important weakness: access control remains one of the most underdeveloped and at-risk areas in crypto, despite the rise in technical protections.
DeFi and smart contract vulnerabilities exposed
Operational security flaws were responsible for most of the losses, with $1.83 billion stolen across DeFi and CeFi platforms. The standout incident of the second quarter was the Cetus hack, in which $223 million was drained in just 15 minutes, making it DeFi's worst quarter since early 2023 and ending a five-quarter downtrend in exploit-related losses.

Quarterly DeFi losses. Source: Hacken 2025 Six-Month Web3 Security Report
Prior to this, Q4 2024 and Q1 2025 were dominated by access control failures, which overshadowed most bug-based exploits. However, this quarter, DeFi's decline was just $14 million, the lowest since the second quarter of 2024.
The Cetus attack exploited an overflow check vulnerability in liquidity calculations. The attackers used flash loans to open small positions and then struck across 264 pools. Hacken said that if real-time total value locked (TVL) monitoring with auto-pause had been implemented, up to 90% of the funds could have been saved.
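As an added illustration of the TVL auto-pause monitoring Hacken describes (not code from Hacken, Cetus or the original article), the sketch below trips a breaker when TVL falls a set fraction below its recent peak and reports how much of the final loss a pause at that moment would have avoided. The 10% threshold, 5-minute window, one-minute sampling, $250 million starting TVL and linear drain are constructed assumptions; only the $223 million and 15 minutes come from the article.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class TvlCircuitBreaker:
    """Trip (pause the protocol) when TVL falls too far below its recent peak."""
    max_drop: float = 0.10   # assumed threshold: 10% drawdown from the window peak
    window_s: int = 300      # assumed look-back window in seconds
    paused_at: Optional[int] = None
    _samples: deque = field(default_factory=deque)  # (timestamp, tvl) pairs

    def observe(self, ts: int, tvl: int) -> bool:
        """Feed one TVL sample; return True once the breaker has tripped."""
        if self.paused_at is not None:
            return True
        self._samples.append((ts, tvl))
        # Forget samples older than the window so slow, organic outflows
        # are not compared against a stale peak.
        while self._samples[0][0] < ts - self.window_s:
            self._samples.popleft()
        peak = max(v for _, v in self._samples)
        if peak > 0 and (peak - tvl) / peak >= self.max_drop:
            self.paused_at = ts
        return self.paused_at is not None

def replay(samples, breaker):
    """Return (pause timestamp, loss at pause, share of the final loss avoided)."""
    start = samples[0][1]
    final_loss = start - samples[-1][1]
    for ts, tvl in samples:
        if breaker.observe(ts, tvl):
            loss = start - tvl
            avoided = 1 - loss / final_loss if final_loss > 0 else 0.0
            return ts, loss, avoided
    return None, final_loss, 0.0

# Constructed data: three quiet minutes, then $223M drained linearly over
# 15 minutes from an assumed $250M pool, sampled once per minute.
START_TVL, DRAINED = 250_000_000, 223_000_000
CONSTRUCTED_DRAIN = [(t, START_TVL) for t in (-120, -60, 0)] + [
    (60 * k, START_TVL - DRAINED * k // 15) for k in range(1, 16)
]

if __name__ == "__main__":
    ts, loss, avoided = replay(CONSTRUCTED_DRAIN, TvlCircuitBreaker())
    print(f"paused at t={ts}s, lost ${loss:,}, avoided {avoided:.1%} of final loss")
```

A drain that stays under the threshold within every window would not trip this breaker, so the threshold and window have to be tuned against the protocol's normal withdrawal pattern.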
AI poses an increasing threat to crypto security
AI and large language models (LLMs) are deeply integrated into both the Web2 and Web3 ecosystems. This integration drives innovation, but it also expands the attack surface and introduces new and evolving security threats.
AI-related exploits surged by 1,025% compared to 2023, with 98.9% of these attacks tied to insecure APIs. Additionally, five major AI-related common vulnerabilities and exposures (CVEs) have been added to the list, and 34% of Web3 projects currently deploy AI agents in production environments, making them increasingly a target for attackers.
Traditional cybersecurity frameworks such as ISO/IEC 27001 and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) are not equipped to address AI-specific risks such as model hallucination, prompt injection and adversarial data poisoning. These frameworks need to evolve to provide comprehensive governance that covers the unique challenges brought about by AI.


